public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
212 Commits 29 Branches 41 Tags 50 MiB
Commit Graph

80 Commits

Author SHA1 Message Date
Mike Bland e4626c1360 Sign Upstream requests with HMAC. closes #147 2015-11-15 22:09:30 -05:00
Mike Bland 462f6d03d2 Extract Authenticate for Proxy, AuthenticateOnly 2015-11-09 10:32:16 -05:00
Mike Bland e61fc9e7a6 Add /auth endpoint to support Nginx's auth_request 
Closes #152.
 2015-11-09 10:31:41 -05:00
Brandon Philips 6db18804f3 *: rename Oauth to OAuth 
Be consistent with Go capitalization styling and use a single way of
spelling this across the tree.
 2015-11-09 00:57:01 +01:00
Brandon Philips 1ff2fce25b oauthproxy: rename Uri to URI 
Be consistent with Go coding style for acroynyms.
 2015-11-09 00:50:42 +01:00
Brandon Philips 51a2e4e48c *: rename Url to URL everywhere 
Go coding style says that acronyms should be all lower or all upper. Fix
Url to URL.
 2015-11-09 00:47:44 +01:00
John Boxall a653c3eeeb Pass `ProxyPrefix` into the error template. 
The default `error.html` uses `ProxyPrefix` but it isn't supplied in the context, causing it to error.
 2015-10-03 15:59:47 -07:00
Jeppe Toustrup ffeccfe552 Add support for serving static files from a directory 
The path should be provided as a file:// url with the full operating system path.
An alias to where the directory is available as can be specified by appending
a fragment (ie. "#/static/") at the end of the URL.
 2015-09-24 15:37:45 +02:00
Justin Burnham 3fd8f911c2 google: Support restricting access to a specific group(s) 2015-09-09 02:10:32 -07:00
Justin Burnham 7dd5d299e1 Add support for setting the basic auth password. 
For tools that don't like empty passwords, this change allows
one to set a shared secret password for all users.
 2015-07-24 09:17:43 +00:00
mattk42 6cd3e72e09 Check email validity on all requests rather than only on login/refresh 2015-07-14 08:40:59 -06:00
Jehiah Czebotar d49c3e167f SessionState refactoring; improve token renewal and cookie refresh 
* New SessionState to consolidate email, access token and refresh token
* split ServeHttp into individual methods
* log on session renewal
* log on access token refresh
* refactor cookie encription/decription and session state serialization
 2015-07-02 23:09:11 -04:00
Jehiah Czebotar 8d50b372e4 immediately redeem refresh token for provider==Google 2015-06-23 13:56:14 -04:00
Jehiah Czebotar e9b5631eed cookie refresh: validation fixes, interval changes 
* refresh now calculated as duration from cookie set
 2015-06-23 07:51:00 -04:00
Jehiah Czebotar d78aa13464 v2.0 & cleanup changes 
* bump version to 2.0
* remove --cookie-https-only option
* add windows build to dist.sh
* rename --cookie-key to --cookie-name
 2015-06-12 13:07:26 -04:00
Jehiah Czebotar f5b2b20f67 support TLS directly 2015-06-07 23:14:48 -04:00
Jehiah Czebotar f5db2e1ff7 More complete HTTP error logging 2015-06-07 21:03:53 -04:00
Jehiah Czebotar 56d19b1c84 disable email validation; rename email-domain argument 
This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers
 2015-06-06 14:37:54 -04:00
tonymeng c5ccd43767 Enable specific oauth2proxy path; change cookie name to _oauth2proxy 2015-06-06 14:21:42 -04:00
Jehiah Czebotar b96a078839 Project Rename -> oauth2_proxy 2015-05-21 02:55:04 -04:00
Jehiah Czebotar 37b38dd2f4 Github provider 2015-05-21 02:21:19 -04:00
Mike Bland 8471f972e1 Move ValidateToken() to Provider 2015-05-21 02:06:23 -04:00
Jehiah Czebotar 9047920e90 Merge pull request #88 from 18F/auto-refresh 
Auto refresh auth token
 2015-05-11 22:24:50 -04:00
Mike Bland 5b07d9fcef Provide a robots.txt that denies all crawlers 2015-05-10 15:15:52 -04:00
Mike Bland 37f287bef4 Calculate cookie expiration from encoded timestamp 
Found out the hard way that _incoming_ cookies do _not_ have their expiration
timestamps encoded. To perform auto-refresh based on expiration time, we have
to recalculate it from the time encoded in the cookie value.
 2015-05-10 00:11:26 -04:00
Mike Bland 8ec967ac32 Check cookie_secret size when cookie_refresh set 2015-05-09 17:37:33 -04:00
Mike Bland 84190ab19a Validate user during cookie refresh 2015-05-09 16:54:27 -04:00
Mike Bland 610341a068 Make ProcessCookie() fail when cookie parse fails 2015-05-09 16:54:27 -04:00
Mike Bland bd4eae8fec Store access token when cookie-refresh is set 
cookie-refresh now no longer requires pass-access-token in order to work.
 2015-05-09 16:54:27 -04:00
Mike Bland b6e07d51b2 Validate access_token when auto-refreshing cookie 2015-05-09 15:09:31 -04:00
Mike Bland 25372567ac ValidateToken() to check access_token validity 2015-05-09 13:17:37 -04:00
Mike Bland 72857018ee Introduce `validate-url` flag/config 2015-05-08 17:13:35 -04:00
Mike Bland 8e2d83600c Implement cookie auto-refresh 
The intention is to refresh the cookie whenever the user accesses an
authenticated service with less than `cookie-refresh` time to go before the
cookie expires.
 2015-05-08 14:05:09 -04:00
Mike Bland f554f99abd Ensure all errors are logged in ProcessCookie() 2015-05-08 14:05:09 -04:00
Mike Bland beed9fb9a2 Extract MakeCookie() 2015-05-08 14:05:09 -04:00
Mike Bland 1bd90cefe7 Extract ProcessCookie() from ServeHTTP() 2015-05-08 12:41:22 -04:00
Mike Bland 9887ac3be5 Refactor cookie building and parsing 
Extracts buildCookieValue() and parseCookieValue() from OauthProxy.ServeHTTP()
and adds tests for both.
 2015-04-07 05:53:41 -04:00
Mike Bland cf79fd9e4c Refactor pass_access_token+cookie_secret check 
Moves the check from NewOauthProxy() to Options.Validate() and adds a test.
 2015-04-07 05:53:40 -04:00
Mike Bland 5f747bb768 Redirect to / when /oauth2/sign_in accessed 
Without this change, clicking the sign-in button on /oauth2/sign_in will
always redirect back to /oauth2/sign_in, essentially creating an infinite
loop.
 2015-04-06 22:10:03 -04:00
Mike Bland ad3c9a886f Pass the access token to the upstream client 
This is accomplished by encoding the access_token in the auth cookie and
unpacking it as the X-Forwarded-Access-Token header for upstream requests.
 2015-04-03 15:32:01 -04:00
Mike Bland 666e6ad436 Add ProviderName field; use in sign_in template 2015-03-31 12:59:07 -04:00
Mike Bland d9a945ebc3 Integrate Provider into Options and OauthProxy 2015-03-31 09:34:50 -04:00
Mike Bland 45286af4a4 s/18F/bitly/ in import path 2015-03-30 11:42:37 -04:00
Mike Bland 9d8f932797 Extract api package 
This is the first step towards genericizing the google_auth_proxy to support
OAuth2 providers other than Google as discussed in #65. The `api` package will
enable multiple providers to use the same `api.Request()` implementation.
 2015-03-30 10:23:30 -04:00
Jehiah Czebotar 16f2c981f3 fix upstream request path 2015-03-21 15:29:07 -04:00
Jehiah Czebotar b9b5e817fc improve request logging (closer to Apache Common Log) 2015-03-19 22:34:01 -04:00
Jehiah Czebotar 07c74f55c6 improve handling of cookie domains 2015-03-19 16:18:02 -04:00
Jehiah Czebotar de04e0c519 rename cookie secure flag 2015-03-19 14:08:17 -04:00
Jehiah Czebotar ebae065b11 make redirect_uri optional 2015-03-19 14:03:05 -04:00
Jehiah Czebotar 71ae70834d pass raw unencoded request URI upstream 2015-03-19 13:18:49 -04:00